February 2006
Report No. 06-007

Audit of the FDIC's Security Certification and Accreditation Program

AUDIT REPORT


Federal Deposit Insurance Corporation                        Office of Audits
801 17th Street NW, Washington, DC 20434                     Office of Inspector General

DATE:            February 15, 2006

MEMORANDUM TO:   Michael E. Bartell, CIO and Director
                 Division of Information Technology

FROM:            Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
                 Assistant Inspector General for Audits

SUBJECT:         Audit of the FDIC's Security Certification and Accreditation Program (Report No. 06-007)

Attached is a copy of the subject report prepared by KPMG LLP under a contract with the Office of Inspector General. Please refer to the Executive Summary for the overall audit results. The firm's report is presented as Part I of this document.

A summary and evaluation of your response, the response in its entirety, and the status of the recommendation are contained in Part II of this report. The response adequately addressed the recommendation in the report. We consider the recommendation to be resolved, but it will remain open until we have determined that agreed-to corrective actions have been completed and are effective.

If you have any questions concerning the report, please contact Stephen M. Beard, Deputy Assistant Inspector General for Audits, at (202) 416-4217, or Mark Mulholland, Director, Systems Management and Security Audits Directorate, at (202) 416-2944. We appreciate the courtesies extended to the audit staff.

Attachment

cc: James H. Angel, Jr., OERM
    Rack Campbell, DIT


Report No. 06-007
February 2006

The FDIC's Security Certification and Accreditation Program

Background and Purpose of Audit

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to audit and report on the FDIC's security certification and accreditation (C&A) program. The results of this audit support the FDIC OIG in fulfilling its evaluation and reporting responsibilities under the Federal Information Security Management Act (FISMA).

The Office of Management and Budget requires agencies to certify and accredit their information systems consistent with federal security policies, standards, and guidelines. Certification involves the evaluation of an information system's management, operational, and technical security controls. Accreditation involves a senior agency official's authorization of an information system to operate. The certification and accreditation of federal information systems is critical to securing the government's operations and assets.

The audit objective was to determine whether the FDIC's security C&A policies, procedures, and practices were satisfactory and consistent with federal standards and guidelines.

To view the full report, go to www.fdicig.gov/2006reports.asp

Results of Audit

The FDIC established and implemented C&A policies, procedures, and practices that were satisfactory and consistent with federal standards and guidelines. The FDIC continued to build its C&A program during 2005 in response to evolving National Institute of Standards and Technology guidance, and additional improvements were underway at the close of our field work. Further, the FDIC had undertaken action to address certain C&A-related matters previously identified in the OIG's September 2005 security evaluation report required by FISMA.

The FDIC can further strengthen its C&A program by:

• enhancing system sensitivity assessment guidance to describe how final security categorizations are determined;
• ensuring that application security plans adequately describe how common security controls and general support systems critical to the security of the application are considered in the application's C&A;
• ensuring that the cost-benefit of alternative control solutions for reducing or eliminating vulnerabilities is considered;
• enhancing written procedures for defining the nature and scope of testing, managing system-level plans of action and milestones, accepting risks associated with system security weaknesses, and issuing interim system authorizations; and
• establishing formal milestone reviews at key points in the C&A process to ensure that critical documentation is current, accurate, and complete.

These program enhancements will provide FDIC management with greater assurance that system security risks are effectively managed and that C&A practices are consistently applied throughout the Corporation. We also performed benchmarking with other federal agencies and included the results in this report.

Recommendation

KPMG recommended that the FDIC's Chief Information Officer strengthen the FDIC's C&A policies, procedures, and guidelines by considering and addressing, as appropriate, the issues described in this report. The FDIC's comments were responsive to the recommendation.


Table of Contents

Part I:
    Report by KPMG LLP
    Audit of the FDIC's Security Certification and Accreditation Program    I-1

Part II:
    Corporation Comments and OIG Evaluation                                II-1
    Corporation Comments                                                   II-2
    Management Response to Recommendation                                  II-3


Part I

Report by KPMG LLP

Audit of the FDIC's Security Certification and Accreditation Program

Prepared for the
Federal Deposit Insurance Corporation
Office of Inspector General

Submitted by:
KPMG LLP
Risk and Advisory Services
2001 M Street, NW
Washington, DC 20036-3389


Audit of the FDIC's Security Certification and Accreditation Program

Prepared by KPMG LLP


Introduction

• OIG contracted with KPMG LLP (KPMG) to audit and report on the FDIC's security certification and accreditation (C&A) program.
• KPMG conducted its work from April through November 2005 in accordance with generally accepted government auditing standards. KPMG performed certain follow-up procedures subsequent to field work to consider recent improvements in the FDIC's C&A program.
• Certification involves the evaluation of an information system's management, operational, and technical security controls.
• Accreditation involves a senior agency official's authorization of an information system to operate.
• By accrediting an information system, the senior agency official accepts the risks associated with the system's operation.
• Agencies are required by Office of Management and Budget (OMB) policy to certify and accredit their information systems consistent with federal standards and guidelines issued by the National Institute of Standards and Technology (NIST).
• In addition, federal Inspectors General are required by OMB policy to assess and report on agency C&A programs as part of their annual independent security evaluations mandated by the Federal Information Security Management Act (FISMA).
• The results of this audit support the OIG in fulfilling its evaluation and reporting responsibilities under FISMA.


Objective, Scope, and Methodology

• The objective was to determine whether the FDIC's C&A policies, procedures, and practices were satisfactory and consistent with federal standards and guidelines.
• The audit focused on the application of the FDIC's C&A program policies, procedures, and guidelines to major applications and general support systems.
• Key criteria included OMB policy and NIST standards and special publications (SP), as identified in Attachment III.

NIST SP 800-37 divides the C&A process into four phases. The audit results are structured around these four phases.

C&A Phase                Description
Initiation               Review and agree upon security categorization, risk assessment, and security planning documentation.
Certification            Determine security control effectiveness, address vulnerabilities in the plan of action and milestones, and provide the certification agent's recommendations.
Accreditation            Decide on authorizing a system for production by determining final risks to agency operations, assets, or individuals.
Continuous Monitoring*   Monitor controls of the system placed in production and track changes that may impact system security.

Source: KPMG analysis of NIST SP 800-37.
* KPMG did not fully evaluate the implementation of Continuous Monitoring due to the recent implementation of the applications selected for review. The OIG plans to perform more detailed work in this area in 2006.

• Key FDIC C&A policies, procedures, and guidelines reviewed:
    – Circular 1310.3, Information Technology Security Risk Management Program
    – Circular 1360.8, Information Security Categorization
    – Division of Information Technology (DIT) Policy and Guidelines on Certification and Accreditation (C&A)
    – DIT's Risk Management Methodology
• C&A packages for three major applications selected for detailed review:
    – New Financial Environment (NFE) Phase I
    – Legal Integrated Management System (LIMS)
    – Asset Servicing Technology Enhancement Project–Metavante
• The FDIC OIG surveyed seven federal Inspectors General to obtain certain information regarding their agencies' C&A programs.
• The audit results build upon information we provided to DIT throughout the audit:
    – April 2005 CIO briefing on the NFE Phase I C&A package
    – July 2005 DIT management briefing on the FDIC's C&A policies and procedures
    – September 2005 OIG FISMA report suggested improvements, such as (a) ensuring that plans of action and milestones (POA&Ms) reflect all relevant security weaknesses; (b) integrating processes for identifying mission-critical applications with processes for determining application availability for Federal Information Processing Standards (FIPS) Publication (PUB) 199 purposes; and (c) re-evaluating the 180-day duration for interim system authorizations.


Background

• Pursuant to its statutory responsibilities under FISMA, NIST continues to develop risk-based security standards and guidelines for securing federal information systems.
• NIST standards and guidelines are introducing significant changes in how federal agencies, including the FDIC, protect their information and systems.
• The President and OMB continue to place a high priority on fully certifying and accrediting federal information systems.
• The FDIC has focused its C&A efforts to date on major applications and general support systems. The FDIC plans to place priority attention on its sensitive non-major applications in 2006 to ensure that potential security risks associated with these systems are addressed.


Overall Results

• The FDIC's C&A policies, procedures, and practices were satisfactory and consistent with federal standards and guidelines.
• The FDIC continued to build its C&A program throughout 2005 in response to evolving NIST guidance, and additional improvements were underway at the close of our field work.
• The audit identified opportunities for the FDIC to further strengthen its C&A program policies, procedures, and guidelines. Generally, these opportunities existed because the FDIC's C&A program has been evolving in response to emerging NIST requirements and the Corporation's security management needs.
• Addressing the issues in this report will provide FDIC management greater assurance that system security risks are effectively managed and that C&A practices are consistently applied throughout the Corporation.


FDIC C&A Program Accomplishments

• Established and implemented policies, procedures, and/or guidelines to:
    – Classify information systems and data
    – Assess security risks
    – Plan for security
    – Test and evaluate system security controls
    – Develop POA&Ms
    – Ensure that system owners are actively engaged in C&A program activities
    – Standardize accreditation decisions
    – Monitor system security controls
• Implemented a risk-based approach to certify and accredit the information systems that pose the greatest risk to the FDIC (i.e., major applications and general support systems).
• Achieved process efficiencies by identifying and testing "common" security controls that cross system boundaries, such as personnel and physical security controls.


Initiation Phase - Areas That Can Be Strengthened

• Sensitivity Assessment Questionnaire (SAQ) guidance should be enhanced to:
    – Describe how the initial FIPS PUB 199 categorization (which is based on an analysis of system data sensitivity and categorizes the data into high, moderate, and low impact) can be modified by the responses to SAQ questions in determining an application's final FIPS PUB 199 categorization.
    – Address requirements for documenting management's rationale for maintaining or changing initial FIPS PUB 199 categorizations.
• Application security plans include a description of the IT environment in which the application operates. However, guidance for preparing application security plans should be enhanced to require that security plans describe how (a) common security controls and (b) system components critical to the security of the application (such as database management and server operating systems) are considered in the application's C&A. Doing so:
    – Provides greater clarification of system boundaries for C&A purposes and greater assurance that all relevant risks are considered when accrediting applications.
    – Promotes efficiency, because many relevant system components are covered in other security plans and common controls are covered in a separate Security Test and Evaluation (ST&E).
• Procedures for reducing or eliminating vulnerabilities identified from risk assessments should be enhanced to better describe when the cost-benefit of alternative control solutions should be considered. The consideration of cost-benefits could be as simple as a memorandum to the file and may accompany an implementation plan.
• Procedures should be enhanced to establish an independent milestone review before proceeding to the Certification Phase. Such a "check point" would provide additional assurance that system security categorizations, risk assessments, and security plans are current, accurate, and complete.
    – The Certification Agent plays a key role.
    – The level of rigor should be consistent with the FIPS PUB 199 impact.


Certification Phase - Areas That Can Be Strengthened

• Procedures for planning and conducting ST&E should:
    – Define the nature and scope of ST&E test case validations, including requirements for ensuring independence in the process.
    – Include requirements for gathering, reviewing, and reusing (where appropriate) previous assessments, audits, and evaluation results. Such assessments and audit work can also benefit Continuous Monitoring activities.
• Procedures for preparing and managing POA&Ms should be enhanced to define the Certification Agent's role in providing recommendations to system owners to correct security control deficiencies identified during ST&E.
• Procedures for accepting moderate or high risk associated with known security vulnerabilities should be enhanced to ensure that:
    – Relevant federal standards and guidelines are considered in justifying decisions to accept risk.
    – A standard format for accepting risk is used, such as DIT's Memorandum of Acceptance of Risk, when circumstances warrant (such as when the risk is high or moderate).
• Procedures should be enhanced to establish an independent milestone review by the Certification Agent before proceeding to the Accreditation Phase. Such a review would provide additional assurance that:
    – System owners fully describe corrective actions taken to close system-level weaknesses on POA&Ms.
    – All security weaknesses are fully addressed in system-level POA&Ms and included in the final certification package.
    – Justifications for accepting moderate or high risk are adequately documented, when circumstances warrant.
• Procedures should be enhanced to require that certification letters identify those security vulnerabilities that must be remediated in order to achieve full accreditation when recommending an Interim Authority to Operate (IATO).


Accreditation Phase - Areas That Can Be Strengthened

• IATO guidance should be enhanced to:
    – Describe how terms and conditions (i.e., limitations on system operations) should be defined and documented.
• As referenced in the Initiation Phase, guidance should be enhanced to better describe how common security controls and system components critical to the security of an application are to be considered and reported in the accreditation letter.


Continuous Monitoring Phase - Areas That Can Be Strengthened

• C&A guidelines should be enhanced to:
    – Describe how security controls will be selected and monitored following an IATO or full authorization to operate.
    – Describe the use of POA&Ms in the status reporting component of Continuous Monitoring.


Conclusion and Recommendation

The FDIC has made significant strides in developing its C&A program in response to emerging NIST requirements. This report identifies opportunities for the FDIC to further strengthen its C&A policies, procedures, and guidelines.

KPMG recommends that the Chief Information Officer strengthen the FDIC's C&A policies, procedures, and guidelines by considering and addressing, as appropriate, the issues described in this report.


Attachment I
Key Observations of IG Survey

We surveyed IGs of seven federal agencies that had a C&A program assessment rating of satisfactory or higher based on their 2004 FISMA evaluation. The results are as follows.

• Most OIGs reported that their agency had categorized all of their major applications and general support systems in accordance with FIPS PUB 199.
• Less than one half of the OIGs reported that their agency had identified "common" security controls. A lesser number of these same agencies had certified and accredited their common security controls.
• Most OIGs reported that their agency's system-level POA&Ms included all relevant IT security weaknesses, including OIG- and GAO-identified weaknesses.
• Some IGs reported that their agencies used the Automated Security Self-Evaluation and Remediation Tracking tool to centrally manage the remediation of security weaknesses.
• Almost all IGs reported that their agencies had certified and accredited their general support systems before certifying and accrediting any overlaying applications. One OIG recommended that the agency identify risks associated with unaccredited general support systems in major application C&A packages.
• Almost all IGs reported that their agencies had developed IATO policies or procedures.
• Some IGs reported that their agencies' C&A programs included a quality assurance component (a GAO-recommended practice).


Attachment II
Prior Audits, Performance Measures, and Fraud

• Relevant reports and correspondence include:
    – September 2005 OIG report entitled, Independent Evaluation of the FDIC's Information Security Program-2005 (Report No. 05-040)
    – September 2005 OIG report entitled, Responses to Security-Related Questions Raised in OMB's Fiscal Year 2005 Reporting Instructions for FISMA and Agency Privacy Management (Report No. 05-034)
    – OIG Memorandum entitled, FDIC's Information Security Program, dated November 8, 2005
• KPMG did not evaluate the FDIC's C&A program performance measures as part of the audit. Such procedures were performed as part of the OIG's annual information security evaluation required by FISMA.
• KPMG did not develop specific audit procedures to detect fraud and illegal acts because they were not considered material to the audit objective. However, throughout the audit, KPMG was sensitive to the potential of fraud, waste, abuse, and mismanagement.


Attachment III
Laws, Regulations, Standards, and Guidelines

Key statutes, regulations, standards, and guidelines:
    – Federal Information Security Management Act of 2002
    – OMB Circular No. A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources
    – OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones
    – NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
    – NIST FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems
    – NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
    – NIST SP 800-53, Recommended Security Controls for Federal Information Systems


Attachment IV
Acronyms

Acronym    Definition
C&A        Certification and Accreditation
CIO        Chief Information Officer
DIT        Division of Information Technology
FDIC       Federal Deposit Insurance Corporation
FIPS PUB   Federal Information Processing Standard Publication
FISMA      Federal Information Security Management Act
GAO        Government Accountability Office
IATO       Interim Authorization to Operate
LIMS       Legal Integrated Management System
NFE        New Financial Environment
NIST       National Institute of Standards and Technology
OIG        Office of Inspector General
OMB        Office of Management and Budget
POA&M      Plan of Action and Milestones
SAQ        Sensitivity Assessment Questionnaire
SP         Special Publication
ST&E       Security Test and Evaluation


Attachment V
Glossary

Term: Definition

Accreditation: Official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.

Accreditation Package: The evidence provided to the authorizing official to be used in the security accreditation decision process. Evidence includes, but is not limited to: (a) the system security plan; (b) the assessment results from the security certification; and (c) the plan of action and milestones.

Authorizing Official: Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation); agency assets; or individuals.

Certification Agent: The individual, group, or organization responsible for conducting a security certification.

Certification: Comprehensive assessment of the management, technical, and operational security controls in an information system, made in support of security accreditation to determine the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system.

Chief Information Officer: Agency official responsible for:
    • Providing advice and other assistance to the head of the executive agency and other senior management personnel to ensure that agency information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency.
    • Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency.
    • Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.

Common Security Control: Security control that can be applied to one or more agency information systems and has the following properties: (a) the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner); and (b) the results from the assessment of the control can be used to support the security C&A processes of any agency information system where that control has been applied.

Federal Information System: An information system used or operated by an executive agency, a contractor of an executive agency, or another organization on behalf of an executive agency.

General Support System: An interconnected set of information resources under the same direct management control. This system normally includes hardware, software, information, data, applications, communications, and people.

Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Information System Owner: Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.

Information Systems Manager: Individual responsible to the senior agency information security officer, authorizing official, or information system owner for ensuring that the appropriate operational security posture is maintained for an information system or program.

Major Application: An application that requires special attention due to the risk and magnitude of the harm that would result from the loss, misuse, or unauthorized access to or modification of information in the application.

Management Controls: The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.

NIST: National Institute of Standards and Technology, a government agency charged with establishing guidance for IT security.

Operational Controls: The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).

Plan of Action and Milestones: A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.

Potential Impact:
    Low: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
    Moderate: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
    High: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Risk: The level of impact on agency operations (including mission, functions, image, or reputation); agency assets; or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.

Risk Assessment: The process of identifying risks to agency operations (including mission, functions, image, or reputation); agency assets; or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. A risk assessment is part of risk management, is synonymous with risk analysis, and incorporates threat and vulnerability analysis.

Risk Management: The process of managing risks to agency operations (including mission, functions, image, or reputation); agency assets; or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate that system.
The process considers\n                            effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations.\n\nSecurity Category           The characterization of information or an information system based on an assessment of potential\n                            impact that a loss of confidentiality, integrity, or availability of such information or information system\n                            would have on organizational operations, organization assets, or individuals.\n\nSecurity Controls           The management, operational, and technical controls (i.e., safeguards or countermeasures)\n                            prescribed for an information system to protect the confidentiality, integrity, and availability of the\n                            system and its information.\n\nSenior Agency Information   Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and\nSecurity Officer            serving as the Chief Information Officer\'s primary liaison to the agency\xe2\x80\x99s authorizing officials,\n                            information system owners, and information system security officers.\n\nSensitive Non-Major         An application that processes a lesser degree of sensitive information than a major application but\nApplication                 still requires some extra attention to security risks and controls.\n\nSystem Security Plan        Formal document that provides an overview of the security requirement for the information system\n                            and describes the security controls in place or planned for meeting those requirements.\n\nTechnical Controls          The security controls (i.e., safeguards or countermeasures) for an information system that are\n                            primarily implemented and executed by the information system through mechanisms contained in the\n                            hardware, software, or firmware components of 
the system.\n\nVulnerability               Weakness in an information system, system security procedures, internal controls, or implementation\n                            that could be exploited or triggered.\n\n\n\n\n                                                                I-19\n\x0c                Part II\n\n\n\nCorporation Comments and OIG Evaluation\n\x0cCORPORATION COMMENTS AND OIG EVALUATION\n\nThe report contains one recommendation for the CIO and Director of DIT. The CIO provided a\nwritten response to the draft report on February 1, 2006. This response is presented in its\nentirety on page II-2. DIT management concurred with the recommendation, which we consider\nresolved, but it will remain open for reporting purposes until we have determined that agreed-to\ncorrective actions have been completed and are effective. DIT\xe2\x80\x99s response to the\nrecommendation is summarized below, along with our evaluation of the response.\n\nRecommendation 1: KPMG recommends that the Chief Information Officer strengthen the\nFDIC\xe2\x80\x99s C&A policies, procedures, and guidelines by considering and addressing, as appropriate,\nthe issues described in this report.\n\nDIT Response: DIT concurs with the recommendation. DIT has worked with the OIG audit\nteam to begin assessing the observations made in the draft report. DIT has drafted a matrix that\ndocuments DIT\xe2\x80\x99s consideration of the observations. DIT reviewed the status of this effort with\nthe OIG and Office of Enterprise Risk Management on January 18, 2006. It was agreed that the\nprovision of the completed matrix would satisfy the recommendation and that the OIG would\nreview DIT\xe2\x80\x99s actions regarding these issues in the 2006 Federal Information Security\nManagement Act evaluation. 
DIT will complete the matrix and provide it to the OIG by April 5,\n2006.\n\nOIG Evaluation of Response: DIT\xe2\x80\x99s consideration of the observations and resulting matrix\nsatisfies the intent of the recommendation. We consider the recommendation resolved, but it will\nremain open until we have determined that each observation was considered and addressed in the\nmatrix.\n\n\n\n\n                                              II-1\n\x0c\x0c                                                   MANAGEMENT RESPONSE TO RECOMMENDATION\n       This table presents the management response on the recommendation in our report and the status of the recommendation as of the date\n       of report issuance.\n                                                                                                                                                                      Open\n            Rec.                                                                                                  Expected           Monetary        Resolved:a        or\n           Number                        Corrective Action: Taken or Planned/Status                            Completion Date       Benefits        Yes or No       Closedb\n             1        DIT has begun assessing the observations made in the draft report. DIT will provide a\n                      matrix that documents DIT\xe2\x80\x99s consideration of the observations.                                4/5/06              N/A             Yes              Open\n\n\n       a\n            Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.\n                       (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.\n                       (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. 
Monetary benefits are considered resolved as long\n                           as management provides an amount.\n       b\n            Once the OIG determines that agreed-to-corrective actions have been completed and are effective, the recommendation can be closed.\nII-3\n\x0c'